Status: Closed
Labels: bug (Undesired behaviour)
Description
JerryScript revision
Build platform
Linux-4.15.0-88-generic-x86_64-with-Ubuntu-18.04-bionic
Build steps
./tools/build.py --clean --debug --compile-flag=-fsanitize=address \
--compile-flag=-m32 --compile-flag=-fno-omit-frame-pointer \
--compile-flag=-fno-common --compile-flag=-g \
--strip=off --system-allocator=on --logging=on \
--linker-flag=-fuse-ld=gold --error-messages=on --profile=es2015-subset
Test case
var split = RegExp.prototype[Symbol.split];
split.call({[Symbol.match]: "g"})
Output
=================================================================
==45542==ERROR: AddressSanitizer: heap-use-after-free on address 0xf5302230 at pc 0x56799ad5 bp 0xffe5d388 sp 0xffe5d378
READ of size 4 at 0xf5302230 thread T0
#0 0x56799ad4 in ecma_deref_ecma_string jerryscript/jerry-core/ecma/base/ecma-helpers-string.c:806
#1 0x5671159e in ecma_regexp_split_helper jerryscript/jerry-core/ecma/operations/ecma-regexp-object.c:1815
#2 0x566a8afc in ecma_builtin_regexp_prototype_symbol_split jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-regexp-prototype.c:680
#3 0x566a6fd5 in ecma_builtin_regexp_prototype_dispatch_routine jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-regexp-prototype.inc.h:60
#4 0x5675e5bb in ecma_builtin_dispatch_routine jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1095
#5 0x5675e793 in ecma_builtin_dispatch_call jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1119
#6 0x5673723a in ecma_op_function_call_simple jerryscript/jerry-core/ecma/operations/ecma-function-object.c:782
#7 0x5673810a in ecma_op_function_call jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1085
#8 0x566da602 in ecma_builtin_function_prototype_object_call jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-function-prototype.c:191
#9 0x566db00d in ecma_builtin_function_prototype_dispatch_routine jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-function-prototype.c:414
#10 0x5675e5bb in ecma_builtin_dispatch_routine jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1095
#11 0x5675e793 in ecma_builtin_dispatch_call jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1119
#12 0x5673723a in ecma_op_function_call_simple jerryscript/jerry-core/ecma/operations/ecma-function-object.c:782
#13 0x5673810a in ecma_op_function_call jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1085
#14 0x566fe79d in opfunc_call.lto_priv.462 jerryscript/jerry-core/vm/vm.c:764
#15 0x566bf814 in vm_execute jerryscript/jerry-core/vm/vm.c:4130
#16 0x566bfd8c in vm_run jerryscript/jerry-core/vm/vm.c:4232
#17 0x566fcde9 in vm_run_global jerryscript/jerry-core/vm/vm.c:321
#18 0x56780911 in jerry_run jerryscript/jerry-core/api/jerry.c:596
#19 0x5677cefb in main jerryscript/jerry-main/main-unix.c:759
#20 0xf7712e80 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18e80)
#21 0x56658290 (jerryscript/build_gcc_asan_es2015/bin/jerry+0x1a290)
0xf5302230 is located 0 bytes inside of 22-byte region [0xf5302230,0xf5302246)
freed by thread T0 here:
#0 0xf79d8b94 in __interceptor_free (/usr/lib32/libasan.so.4+0xe5b94)
#1 0x5671bc40 in jmem_heap_free_block_internal jerryscript/jerry-core/jmem/jmem-heap.c:476
#2 0x5671bfeb in jmem_heap_free_block jerryscript/jerry-core/jmem/jmem-heap.c:685
#3 0x566bff1e in ecma_dealloc_string_buffer jerryscript/jerry-core/ecma/base/ecma-alloc.c:208
#4 0x56799dbc in ecma_destroy_ecma_string jerryscript/jerry-core/ecma/base/ecma-helpers-string.c:844
#5 0x56799b60 in ecma_deref_ecma_string jerryscript/jerry-core/ecma/base/ecma-helpers-string.c:816
#6 0x567a425b in ecma_free_value jerryscript/jerry-core/ecma/base/ecma-helpers-value.c:1063
#7 0x566a8f23 in ecma_builtin_regexp_dispatch_helper jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-regexp.c:186
#8 0x566a8f9d in ecma_builtin_regexp_dispatch_construct jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-regexp.c:223
#9 0x5675eafa in ecma_builtin_dispatch_construct jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1160
#10 0x56738591 in ecma_op_function_construct jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1229
#11 0x56711587 in ecma_regexp_split_helper jerryscript/jerry-core/ecma/operations/ecma-regexp-object.c:1813
#12 0x566a8afc in ecma_builtin_regexp_prototype_symbol_split jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-regexp-prototype.c:680
#13 0x566a6fd5 in ecma_builtin_regexp_prototype_dispatch_routine jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-regexp-prototype.inc.h:60
#14 0x5675e5bb in ecma_builtin_dispatch_routine jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1095
#15 0x5675e793 in ecma_builtin_dispatch_call jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1119
#16 0x5673723a in ecma_op_function_call_simple jerryscript/jerry-core/ecma/operations/ecma-function-object.c:782
#17 0x5673810a in ecma_op_function_call jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1085
#18 0x566da602 in ecma_builtin_function_prototype_object_call jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-function-prototype.c:191
#19 0x566db00d in ecma_builtin_function_prototype_dispatch_routine jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-function-prototype.c:414
#20 0x5675e5bb in ecma_builtin_dispatch_routine jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1095
#21 0x5675e793 in ecma_builtin_dispatch_call jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1119
#22 0x5673723a in ecma_op_function_call_simple jerryscript/jerry-core/ecma/operations/ecma-function-object.c:782
#23 0x5673810a in ecma_op_function_call jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1085
#24 0x566fe79d in opfunc_call.lto_priv.462 jerryscript/jerry-core/vm/vm.c:764
#25 0x566bf814 in vm_execute jerryscript/jerry-core/vm/vm.c:4130
#26 0x566bfd8c in vm_run jerryscript/jerry-core/vm/vm.c:4232
#27 0x566fcde9 in vm_run_global jerryscript/jerry-core/vm/vm.c:321
#28 0x56780911 in jerry_run jerryscript/jerry-core/api/jerry.c:596
#29 0x5677cefb in main jerryscript/jerry-main/main-unix.c:759
previously allocated by thread T0 here:
#0 0xf79d9304 in __interceptor_realloc (/usr/lib32/libasan.so.4+0xe6304)
#1 0x5671bfc3 in jmem_heap_realloc_block jerryscript/jerry-core/jmem/jmem-heap.c:674
#2 0x567a0a78 in ecma_stringbuilder_grow jerryscript/jerry-core/ecma/base/ecma-helpers-string.c:2507
#3 0x567a0fbf in ecma_stringbuilder_append_byte jerryscript/jerry-core/ecma/base/ecma-helpers-string.c:2630
#4 0x56711492 in ecma_regexp_split_helper jerryscript/jerry-core/ecma/operations/ecma-regexp-object.c:1805
#5 0x566a8afc in ecma_builtin_regexp_prototype_symbol_split jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-regexp-prototype.c:680
#6 0x566a6fd5 in ecma_builtin_regexp_prototype_dispatch_routine jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-regexp-prototype.inc.h:60
#7 0x5675e5bb in ecma_builtin_dispatch_routine jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1095
#8 0x5675e793 in ecma_builtin_dispatch_call jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1119
#9 0x5673723a in ecma_op_function_call_simple jerryscript/jerry-core/ecma/operations/ecma-function-object.c:782
#10 0x5673810a in ecma_op_function_call jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1085
#11 0x566da602 in ecma_builtin_function_prototype_object_call jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-function-prototype.c:191
#12 0x566db00d in ecma_builtin_function_prototype_dispatch_routine jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-function-prototype.c:414
#13 0x5675e5bb in ecma_builtin_dispatch_routine jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1095
#14 0x5675e793 in ecma_builtin_dispatch_call jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1119
#15 0x5673723a in ecma_op_function_call_simple jerryscript/jerry-core/ecma/operations/ecma-function-object.c:782
#16 0x5673810a in ecma_op_function_call jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1085
#17 0x566fe79d in opfunc_call.lto_priv.462 jerryscript/jerry-core/vm/vm.c:764
#18 0x566bf814 in vm_execute jerryscript/jerry-core/vm/vm.c:4130
#19 0x566bfd8c in vm_run jerryscript/jerry-core/vm/vm.c:4232
#20 0x566fcde9 in vm_run_global jerryscript/jerry-core/vm/vm.c:321
#21 0x56780911 in jerry_run jerryscript/jerry-core/api/jerry.c:596
#22 0x5677cefb in main jerryscript/jerry-main/main-unix.c:759
#23 0xf7712e80 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18e80)
SUMMARY: AddressSanitizer: heap-use-after-free jerryscript/jerry-core/ecma/base/ecma-helpers-string.c:806 in ecma_deref_ecma_string
Shadow bytes around the buggy address:
0x3ea603f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3ea60400: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3ea60410: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3ea60420: fa fa fa fa fa fa fa fa 00 00 00 fa fa fa 00 00
0x3ea60430: 00 fa fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa
=>0x3ea60440: 00 00 00 fa fa fa[fd]fd fd fa fa fa fd fd fd fa
0x3ea60450: fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa fa fa
0x3ea60460: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3ea60470: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3ea60480: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3ea60490: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==45542==ABORTING
Found by Fuzzinator with grammarinator.
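The ASan report pins the freed object down precisely: the 22-byte region is the flags string grown by the stringbuilder in ecma_regexp_split_helper (ecma-regexp-object.c:1805), it is released inside the RegExp constructor (ecma_builtin_regexp_dispatch_helper, ecma-builtin-regexp.c:186, reached through ecma_op_function_construct from line 1813), and the helper then dereferences it a second time at line 1815. The JavaScript below is an added example, not part of this issue and not JerryScript code; it walks the ES2015 RegExp.prototype[@@split] steps by hand on a spec-compliant engine (Node.js) to show why that constructor call is a failing one: the receiver has no `flags` property, so the derived flags string is "undefinedy", which the RegExp constructor must reject with a SyntaxError. The function names derivedSplitterFlags, constructSplitter and reproduce are mine, not engine internals.

```javascript
// Added example (not from the issue or from JerryScript): re-derives by hand the
// arguments that RegExp.prototype[@@split] hands to the RegExp constructor for the
// issue's receiver, then compares with what a spec-compliant engine actually does.

// ES2015 21.2.5.11 steps 6 and 9: flags = ToString(Get(rx, "flags")), then append
// "y" (sticky) unless it is already present. A plain object has no "flags", so
// ToString(undefined) yields "undefined" and the splitter flags become "undefinedy".
function derivedSplitterFlags(rx) {
  const flags = String(rx.flags);
  return flags.includes("y") ? flags : flags + "y";
}

// Step 5: C = SpeciesConstructor(rx, %RegExp%). For an object literal rx.constructor
// is Object and Object[Symbol.species] is undefined, so C falls back to %RegExp%.
// Step 10: Construct(C, [rx, newFlags]). The result is reported instead of thrown so
// the caller can see which exception type the constructor produced.
function constructSplitter(rx) {
  const ctor = rx.constructor;
  const species = ctor === undefined || ctor === null ? undefined : ctor[Symbol.species];
  const C = species === undefined || species === null ? RegExp : species;
  try {
    return { ok: true, splitter: new C(rx, derivedSplitterFlags(rx)) };
  } catch (e) {
    return { ok: false, error: e.constructor.name, message: e.message };
  }
}

// The issue's receiver: @@match is truthy, so IsRegExp(rx) is true inside the
// constructor, which then reads rx.source (undefined) and validates the flags string.
// The invalid flag character "n" in "undefinedy" forces a SyntaxError.
function reproduce() {
  const rx = { [Symbol.match]: "g" };
  const manual = constructSplitter(rx);
  let direct;
  try {
    RegExp.prototype[Symbol.split].call(rx);
    direct = "no exception";
  } catch (e) {
    direct = e.constructor.name;
  }
  return { flags: derivedSplitterFlags(rx), manual, direct };
}

console.log(JSON.stringify(reproduce(), null, 2));
```

On a correct engine both the hand-derived construction and the direct call end in a SyntaxError, so the only thing ecma_regexp_split_helper should do after ecma_op_function_construct returns an error is release the resources it still owns exactly once; the "freed by" and "READ" stacks above show the flags string being released both by the constructor and by the helper, which is the double release the sanitizer catches.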